I’d like to implement a user attribute that is encrypted by the user’s password which can then be accessed as a client protocol mapper. Here’s my use case. Future releases of Nextcloud will allow setting a per-user encryption key via SAML:
While I can create a custom attribute for each user in Keycloak, it would be stored in plain-text. I’d like it to be encrypted by the user’s credentials, instead. I don’t think this is currently possible in Keycloak, and I think I can build it, but I thought I’d ask to see if it’s possible (and if not, maybe I could get some pointers).
I know, I know - I should use the getStoredCredentialsStream - I’m just not very good with streams, at the moment (my Java is rusty).
EDIT: Never mind. It looks like it’s stored in the DB in plain-text.
I managed to find a solution. It required creating a new SAML protocol mapper, password policy provider, adding an event listener, etc. Once I get it fully working, I’ll try to remember to come back and post a link to my code - it works quite well!